NSA releases joint guidance on defending against China-nexus covert networks

On April 23, the National Security Agency (NSA) joined the United Kingdom’s National Cyber Security Centre, the Australian Signals Directorate’s Australian Cyber Security Centre, and others in releasing the joint Cybersecurity Advisory, “Defending against China-nexus covert networks of compromised devices.”
The CSA details how multiple China-nexus threat actors now use external covert networks to facilitate malicious cyber activity strategically and at scale. These dynamic covert networks include botnets of many compromised devices that relay connections across the internet in a low-cost, low-risk, deniable way, disguising the origin of the malicious activity and frustrating attribution. The botnets frequently include compromised small office/home office (SOHO) network infrastructure (routers, firewalls, network-attached storage, etc.) and Internet of Things devices (web cameras, video recorders, smart devices, etc.).
While new covert infrastructure networks are regularly developed and deployed for use by multiple China-nexus threat actors, existing networks are also updated in response to defensive or legal action, software updates, or new exploits being used against different technologies, according to the CSA. This churn means that a detailed list of known networks (how each is built and how it communicates), and defensive approaches built around such lists, quickly become ineffective. Legitimate users also browse the internet through the same networks and devices, which makes attribution of the malicious activity challenging. However, since most networks of compromised infrastructure share the same basic setup, understanding that generalized structure can aid defensive efforts.
The CSA explains the widespread shift in tactics, techniques, and procedures by malicious cyber actors away from individually procured infrastructure toward multiple large, externally managed covert networks used by many actors simultaneously. It describes the typical makeup of a covert network and how it is used, and includes protective advice for organizations targeted by cyber activity that uses a covert network as an access vector. It also outlines tailored steps that organizations of all sizes can take to mitigate the risk of such attacks.
Anyone who is a target of China-nexus threat actors may be impacted by the use of covert networks, and anyone using a vulnerable device could have their device co-opted into one of these China-nexus covert networks. Cybersecurity analysts and network defenders — including those protecting national security, Department of War, and Defense Industrial Base systems — are advised to use the protective advice and mitigations listed in this CSA to thwart malicious activities.
Source: NSA